hxxps://www[.]xerox[.]nl/nl-nl/over-ons/accountmanagement/ondersteuning-op-afstand

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.xerox.nl/nl-nl/over-ons/accountmanagement/ondersteuning-op-afstand

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133571189171183276"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1364	chrome.exe
1364	chrome.exe
6140	chrome.exe
6140	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1364	chrome.exe
1364	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 4304	1364	chrome.exe	91
PID 1364 wrote to memory of 4304	1364	chrome.exe	91
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 3572	1364	chrome.exe	95
PID 1364 wrote to memory of 1096	1364	chrome.exe	96
PID 1364 wrote to memory of 1096	1364	chrome.exe	96
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97
PID 1364 wrote to memory of 3340	1364	chrome.exe	97

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.xerox.nl/nl-nl/over-ons/accountmanagement/ondersteuning-op-afstand
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff858db9758,0x7ff858db9768,0x7ff858db9778
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1868,i,2802906465575457379,9868431552876027727,131072 /prefetch:2
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1868,i,2802906465575457379,9868431552876027727,131072 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1868,i,2802906465575457379,9868431552876027727,131072 /prefetch:8
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=1868,i,2802906465575457379,9868431552876027727,131072 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2932 --field-trial-handle=1868,i,2802906465575457379,9868431552876027727,131072 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 --field-trial-handle=1868,i,2802906465575457379,9868431552876027727,131072 /prefetch:8
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 --field-trial-handle=1868,i,2802906465575457379,9868431552876027727,131072 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2452 --field-trial-handle=1868,i,2802906465575457379,9868431552876027727,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6140

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3348 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:8
1⤵
PID:5868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
410ced98afed7371e34bccd843c20482

SHA1
4f83ceac5080f7dbfd46231b2e99cf84394180fe

SHA256
61d860c8d7c9298ff15c2276cb43a40800d07586c1fa27395b4080fa661e8ff8

SHA512
7339cc6fdb232c85dcd5132443c1b88e8daa58cd5aad3cfa5bb357fc981ae0b9a814a73c9d51a5637eb4ebe20cd3b070b4db46025426f30b36ce4bc8b165081d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
50d18da974614158c6dfa67497ab2819

SHA1
b88a14339179ede0e9a2ef542c44f9c2170ac9d1

SHA256
ee24c280e510cce6ca5b705f973d0336136c9d5bc7b5ae6e3836a2d5600fcf18

SHA512
93e6edf467fa84d41eca457875147a6ad90ae47385f2aeea8eb90cbd9c0667c9b3feedc4caa0eb749031a4f6ecccbe2761b71c9f27698de5327c6a0e65077846

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f1941487d03db792f1c6d9848ba74b50

SHA1
21ffb55530ba7513a117161024b392671600fe4c

SHA256
ff58951ce530d6fdfb9231e1126a0753a617df4ac601dcf5f226d26eb9338186

SHA512
5c25ec4849b4d7a79960a93385c518bfacf46faa04d8c611da83c9a3bc0ffe9e7f4cb5b34b35c897fdfbe7c1d8a793ad380db958ed4d88eae63ba80863def336

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
70131a203257a1ebb8818353a0b4f158

SHA1
42bd457c1b305beeff1c20eca66370fdb9c78a76

SHA256
87318975e75e70e576d3f53ef663bf91f6117f6c9bbd607ab9330195d7bc78ae

SHA512
ee673474d00a8d0b8a5e70a05c6265f1264ccbe19ca70668fcf1f5e9b9d8efa143e38fe412ab2e035fd7c0600a1320195565d9ecca7f2234975e28bb6db15009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
59ce74a3cae65ebb312f1674951c41e9

SHA1
521178a0fda8b5fd4f600f704b48b2857dcafeb5

SHA256
7c8f1cbb8244ffd7fcc61df31f2183964b47b4b46254bd5da4e0d71eedd8301d

SHA512
ff830f4253aebcb28ffc7546ba323141bf2964fe1cdd0ec61c4770b29a6990a5d766a71bb65d68c07bd00775587b9744b6b0872643e20cb22c480148a35f8141

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
62958bb51d9bd33e2907444e475a1e07

SHA1
ae69e24233d128fae536881f7646939d0c29e026

SHA256
3a353cadac741f67e6ec76506e9cbbbc2fd9ab22b7d01cf1e137eafb3b37fdc3

SHA512
22e452a11507833ff6d5b010b166334fcaca1a098aa83c41988ef851fb11094b9f8fbdb5ada23556788d9da181de37b48f2b56e048a4f2f7b8192bae5fc387b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit